Zulip Desktop prior to 5.4.3 allows XSS because string escaping is mishandled during composition of the HTML for the user interface.
zulipchat zulip desktop